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We deal with the issues in the Examiner's Answer (hereinafter the "Answer") in order of 
complexity, out of the orders in which the rejections have been stated and previously argued. 

Claims 7, 9, 17, and 27 are rejected under 35 U.S.C. 112, f2. Appellant rests on the 
5 arguments of record in its Appeal Brief. 

Independent claims 21 and its dependent claims 22-30 are rejected under 35 U.S.C. 
§ 101. In essence, the Examiner's rationale here seems to be that claims 21-29 are computer 
programs because he says they are, and that claim 30 is a computer program because Appellant 

10 concedes such in the claim itself. In the Answer the Examiner twice states "claims 21 - 30, they 
comprise a computer program (e.g. dependent claim 30 explicitly recites that the system is 
software). Computer software per se. fails to fall within any one of the statutory categories of 
invention" (Answer, pg. 4 and 16-17), and nowhere else in the Answer is this rejection further 
supported or argued. 

15 With respect to claims 21-29 this is clear error. These claims nowhere recite "program" 

or "software," so there is no reasonable basis for the Examiner to conclude that they comprise 
such. Claim 21 recites "means for making a copy of [a] security descriptor," "means for adding 
[an ACL]," and "means for overwriting the security descriptor." Obviously, a computer program 
or software cannot make a copy or add or overwrite something without a processor to execute it; 

20 memories in which the program/software resides; and memories containing the sources and 
targets of the copying, adding, and overwriting. Those of ordinary skill in the art will clearly 
appreciate that the three means-elements here must comprise more than just a compute program 
or software. Claims 22-29 depend from claim 21 and similarly do not recite "program" or 
"software." 

25 Next consider claim 30, which recites "The system of claim 21, wherein said means are 

comprised within a single software tool." Taken in the abstract, claim 30 is poorly drafted, but 
as a practical matter there should be no question that one of ordinary skill in the art will 
understand its meaning. Clearly a computer with its processor(s), memory(s), etc. cannot 
literally be inside a "software tool." What Appellant says in claim 30 is that the instructions (or 

30 equivalents) that are part of its means for copying, the instructions that are part of its means for 
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adding, and the instructions that are part of its means for overwriting are all contained in a single 
software tool. 

Claims 21-29 should be examined on the basis of what they recite, not based on what the 
Examiner sees in claim 30. And claim 30 should be examined on the basis of what one of 
5 ordinary skill in the art will read in it. Claim 21-30 should be allowed. 

Claims 1-30 are rejected under 35 U.S.C. 102(e) in view of U.S. Pub. App. 
2004/10215650 by Shaji et al. With respect to this prosecution generally, Appellant's position 
remains that "the Examiner has not even bothered to articulate a prima facie case for ... 

10 rejection" {see e.g., Brief, pg. 10, In. 15-16). The Examiner has a lot of quibbles in the Answer 
(some valid, but still non-deteraiinative) with how Appellant has presented examples showing 
this, but the underlying problem here is that the Examiner has merely quoted claim elements, 
added minimalist parentheticals citing locations in the Shaji reference that are apparently felt 
relevant, and never actually articulated the basis' for the rejections. For example, both of the 

15 Office Actions state and now also the Examiner's Answer states {pg. 6): 

Regarding claim 1. Shaji discloses: 

making a copy of the security descriptor (par. 18. 91 ) : 

adding a new access control entry (ACE) to the DACL in said copy, 
wherein said new ACE specifies denying the locally privileged group an access 
20 right to the securable object (par. 18. 19. 89) : 

and overwriting the security descriptor in the operating system with said 
copy (par. 18) . (underline added and here showing the only text by the Examiner) 

This is not proper. The cited sections of Shaji do not literally recite the text of claim 1. 
In fact, in many of them there is no apparent relevance at all and the reader is left wondering 
25 what the basis is for the Examiner's implied assertions that a section is relevant. 

It was not critical to the issue of obviousness before it, so it is perhaps even more 
interesting that our Supreme Court recently felt it important enough to reiterate and remind us all 
that "there must be some articulated reasoning with some rational underpinning to support [a] 

legal conclusion" {KSR, 550 U.S. at , 82 USPQ2d at 1396 wherein the Court was quoting In 

30 re Kahn, 441 F.3d 977, 988, 78 USPQld 1329, 1336 (Fed. Cir. 2006)). 

Appellant has done its best in this situation, trying in our Responses to the Office Actions 
and in our Appeal Brief (hereinafter the "Brief) to show that the cited sections of Shaji cannot 
support a rejection. 
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Turning now to the substance of the Answer, at page 8 it states "Shaji anticipates claims 

1-30:," it then devotes the next paragraph to quoting Appellant's Brief, and then it states "First, it 

is noted that the appellant erroneously asserts that claim 1 recites that a "securable object" 

includes a "discretionary access control list"" {underline emphasis added here and hereinafter). 

5 The Examiner has a valid point here, albeit a non-determinative one. Appellant's Brief states: 

... As is well known to artisans in this field, many things in an operating system 
can have security descriptors. The only one that is relevant here, however, is "a 
security descriptor for the securable object" and further that this securable object 
be one that "includes a discretionary access control list (DACL)" (claim 1). There 
10 are no arguments in the record that Shaji teaches these. {Brief, pg. 10, In. 20-24) 

And it should more correctly have stated: 

... As is well known to artisans in this field, many things in an operating system 
can have security descriptors. The only one that is relevant here, however, is "a 
security descriptor for the securable object" and further that this security 
15 descriptor be one that "includes a discretionary access control list (DACL)" 

(claim 1). There are no arguments in the record that Shaji teaches these. 

Appellant's underlying point here remains, however, that Shaji does not support the rejection 

because it fails to teach all of the elements of the claimed invention. Further support for this 

underlying point is provided in Appellant's Brief (pg. 10, In. 12 through pg. 12, In. 17). 

20 The Answer further states "Second, the examiner notes the appellant's argument 

respecting the preamble of claim 1 (specifically, "The only one that is relevant here, however, is 
"a security descriptor for the securable object")" {Answer, pg. 9). The Examiner is being 
disingenuous. The actual sentence at issue in our Brief states "The only one that is relevant here, 
however, is "a security descriptor for the securable object" and further that this securable object 

25 [security descriptor] be one that "includes a discretionary access control list (DACL)" (claim 1)" 
{Brief, pg. 10, In. 21-23). Even with Appellant's error it is clear in the relevant paragraph in our 
Brief (page 10, lines 17-27) that Appellant is arguing that Shaji at [0018] and [0091] does not 
teach DACLs, and that whatever securable objects or security descriptors Shaji may teach at 
[0018] and [0091] are not relevant to claim 1. 

30 The Answer further states "Third, it is noted, that the appellant appears to argue that the 

cited prior art security descriptors are not "copied"" (Answer, pg. 9). The Examiner is again 
being disingenuous. What Appellant's actually states is "To the extent that any security 
descriptor is "copied" here in Shaji, this is not applicable to the relevant context." (Brief, pg. 10, 
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In. 19-20). The Examiner knows that DACLs are a major element in the claimed invention and 
that Appellant is arguing that, yet he wants to ignore this here. 

The Answer further states "Finally, the examiner notes that the appellant appears to argue 
that the prior art does not disclose a "discretionary access control list" or DACL . In response, the 
5 examiner respectfully points out that the prior art abundantly discloses that security descriptors 
comprise access control lists (ACLs) for permissions (e.g. see Shaji, par. 18, 19, 74, 75, 79, 91, 
93)" {Answer, pg. 9). However, while a DACL is a special type of an ACL {see e.g. Brief at pg. 
10, In. 1-6; Specification at [0038] and any number of industry references), an ACL is not 
necessarily a DACL and there is no reason to conclude that Shaji is teaching a DACL in any of 

10 [0018]-[0019], [0074]-[0075], or [0091]. 

Paragraph [0093] of Shaji is newly cited for the first time in this prosecution. Appellant 
previously stated that "Shaji nowhere teaches or discusses a discretionary access control list" 
{Brief, pg. 11, In. 1-2) and the text "For eachACE in sd.Dacl" in [0093] of Shaji appears to be a 
counter example (and apparently the only counter example) showing that we were mistaken. But 

15 is this relevant? Apparently not, the Examiner has not argued that this reads on Appellant's 

DACL-based limitations in any of the claims. Such an argument would fail. For example, claim 
1 recites "adding a new access control entry (ACE) to the DACL in [the just made] copy, 
wherein said new ACE specifies denying the locally privileged group an access right to the 
securable object." Shaji at [0093] is not teaching this - and nowhere else is Shaji apparently 

20 teaching anything about DACLs. Claim 1 also recites "making a copy of the security descriptor" 
and "overwriting the security descriptor ... with said copy" wherein "wherein [that] security 
descriptor ... includes [the] discretionary access control list (DACL)." There is no articulated 
reasoning in the record that Shaji teaches all of this. It does not teach all of this. 

The next paragraphs in the Answer {pg. 10-11) are strange. Obviously the Examiner does 

25 not like how we have paraphrased the structure of his prior arguments, but he fails to state what 
the structure of those arguments actually is. Oddly he then states "However, the Examiner 
simply has not done this and there similarly is nothing in the record explaining why the 
Examiner feels that Shaji teaches any of the DACL related/specific limitations recited in claim 
1." We completely agree, there is no articulated reasoning in the record that Shaji teaches these 

30 limitations in claim 1 (much less all the relevant limitations). Accordingly, we again urge that a 
prima facie case has not been made and that at least claim I should be allowed. 
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The next paragraph in the Answer (pg. 11, bottom) is time wasting obfiiscation. 
Appellant cited Wildpedia for a succinct statement of something that has been a widely known 
feature of many operating systems for well over a decade. The Examiner took the initiative to 
check the time stamps on the Wikipedia entry, which post-date the filing of Appellant's 
5 application, but the Examiner did not bother to read the short definition in that Wikipedia entry, 
which states "These entries are known as access control entries (ACEs) in the Microsoft 
Windows, Open VMS, Linux and Mac OS X operating systems." All of these well known OSs 
pre-date the filing of Appellant's application. 

The next paragraph in the Answer (pg. 12) has the Examiner first arguing that he does not 
10 have to articulate a rational for the rejection and ending with the statement "Shaji teaches the 
claimed ACL." However, claim 1 does not recite an ACL, it recites a DACL. 

The next paragraph in the Answer (pg. 12, middle) is introduction, and the next covers a 
point we have conceded (that Shaji teaches a DACL, but not that it teaches the use of one as 
recited in the claims). The next paragraph in the Answer then states: 

15 Second, the examiner respectfully notes that the appellant, while admitting that 

the word ACE appears throughout the disclosure of Shaji - including paragraph 
89, asserts that the prior art must fail to disclose an ACE because the word "ACE" 
does not appear within paragraphs 19 and 19 [SIC, "18 and 19"?] of Shaji. In 
response, the examiner finds the appellant's argument to be unpersuasive because 

20 it amounts to mere allegation . {Answer, pg. 12-13) 

Respectfully, it would be useful if the Examiner would define "mere allegation" for the record, 
but in any case the above does not correctly say what Appellant has said. Appellant's Brief 
states: 

In fact, in [0018] and [0019] Shaji also does not teach an access control entry 
25 (ACE). If Shaji did, it would presumably have used the industry standard term 

"access control entry" or the industry standard acronym "ACE," as it does 
elsewhere, including [0089]. As for [0089], this is merely a recitation of entirely 
conventional ACE characteristics. Shaji nowhere teaches denying anything that is 
relevant to this matter, especially not by using a new ACE, or denjdng something 
30 to a locally privileged group, and not to all of these also with the other limitations 

recited in claim 1. (pg. 11, In. 24-30, underline here in the original) 

The next paragraph in the Answer states "the examiner notes the appellant's argument 

that the prior art fails to disclose denying "a locally privileged group". In response, the examiner 

respectfully notes that the prior art clearly discloses ... see for example, Shaji, par. 3-5, 16 -19, 

35 74, 79, 89, 92)" (Answer, pg. 13, middle). However, what the examiner sees here and what Shaji 
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actually discloses here are either not relevant or we need some explanation from the Examiner of 
how that is. None of these paragraphs uses the words "deny," "locally," "privileged," or any 
apparent variants of these other than the phrase "local computer, domain, and network security 

settings" in [0004]. 

5 The next paragraph in the Answer {pg. 13-14) is introduction, and the next states "the 

examiner respectfully notes that Shaji clearly discloses "overwriting the security descriptor in the 
operating system with said copy". ... (Shaji, par. 18, see also par. 91, 104, 107)" {Answer, pg. 
14). However Shaji at [0018] and [0091] merely discuss initial loading of a security descriptor, 
not overwriting an existing one. At [0107] Shaji discusses adding something to a security 

10 descriptor, not loading, unloading, overwriting or anything else relevant here. At [0104] Shaji at 
least discusses changing a security descriptor, but what is discussed here even in this respect 
teaches away from claim 1 as a whole by stating "if the peraiission is already set, additional 
ACEs should not be added to the security descriptor, since it will cause unnecessary increase in 
the data structure in the directory service." 

15 Moving on to claim 2, with respect to this the Answer quotes part of the Brief (pg. 12, 

In. 19), apparently for no reason whatsoever, unless conceding a point and rendering the rest 
stated below moot. Then the Answer proceeds in the next paragraph to argue the text in the 
Brief (pg. 12, In. 20 onward) after that quote. The Brief here points out that the Examiner has 
argued by implication (merely quoting claim text and adding "(par. 13, 64)") that Shaji teaches a 

20 relative identifier (RID) {see e.g., the Answer at pg. 6, which states the same as both Office 
Actions). Appellant has counter argued "the cited paragraphs do not teach a relative identifier 
(RID), much less one used in the specific manner recited in the claim" {Brief, pg. 12, In. 23-24). 
In [0013] and [0064] Shaji uses the term "identity," not "identifier" and not "relative" or any 
apparent variant of that term. Again, if this is relevant, that is not readily apparent and the 

25 burden should be on the Examiner to articulate the reasoning for the rejection. 

Now the Examiner appears to be attempting an argument that if an object has an identity 
it must have an identifier and that this is equivalent to Appellant's relative identifier (RID). 
However, even accepting for the sake of argument that [0013] and [0064] in Shaji somehow do 
teach determining the RID of a securable object, we are still waiting on the Examiner to explain 

30 how [0013] and [0064] in Shaji then teach using that for "finding the security descriptor for the 
securable object." Notably, while using the term "security descriptor" in many other parts of its 
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disclosure and clearly knowing when and when not to use this term of art, Shaji does not use it in 
[0013] and [0064]. The burden should be on the Examiner to at least explain why [0013] and 
[0064] are relevant to "finding the security descriptor for the securable object based on [a] RID" 

(claim 2). 

5 The Answer here further states (pg. 14, bottom) "Applicant's arguments fail to comply 

with 37 CFR 1.111(b) because they amount to a general allegation Respectfully, the 

Examiner has failed to even state a prima face case and yet he apparently wants to label 

Appellant's pointing that out as "general allegation." 

Moving on to claim 3, for the first time in this prosecution the Examiner cites [0019], 

10 [0074], [0089], or [0091] against claim 3 - but they as well do not teach "comprising examining 

the DACL to discover whether said access right is already denied" {claim 3). In general, 

however, Appellant here as well rests on the arguments of record in its Appeal Brief. 

Moving on to claim 5, the Brief and the Answer are not as helpful here as the following. 

Claim 5 recites "The method of claim 1, wherein the securable object is a group other than a 

15 local administrators group." The Office Actions cite and now the Answer as well cite only 

[0004] of Shaji with no articulated reasoning of anything. Paragraph [0004] is in the 

Background of the Invention section of Shaji and it states: 

In such a network, Group Policy can be used to specify many of the 
settings for a user and computer, including registry-based policy settings used to 

20 configure and specify behavior of the operating system and optionally application 

programs based on settings in various computer systems' registries, and script- 
related policy settings control scripts for computer startup and shutdown, and user 
logon and logoff. Group policy can also specify particular software programs for 
groups of users and/or machines, as Group Policy includes settings for centrally 

25 managing the installation, updates, and removal of application programs and 

components. Security options are also provided by policy settings, e.g., for local 
computer, domain, and network security settings. Folder redirection options, 
which allow administrators to redirect users' special folders to the network, also 
may be managed via Group Policy, as can Internet Explorer Maintenance, which 

30 is used to manage settings related to Internet Explorer and Remote Installation 

Services options, which are used to manage client configuration options that users 
see when performing Remote Installation Services-based installs. Internet 
Protocol Security Settings and Wireless settings can also be deployed through 
Group Policy, and public key policy settings, as well as software restriction 

35 policies can also be managed. 

As key facts, it can be observed that this paragraph does not include the words 
"securable," "object," or "other" and that its use of the word "local" is not with respect to a 
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group and its use of "administrators" is not with respect to a local administrators group. How 
then can [0004] of Shaji possibly support the rejection of claim 5? 

And moving on to claim 7, Appellant here as well rests on the arguments of record in its 

Appeal Brief. 

Patent Venture Group Respectfully Submitted, 

10788 Civic Center Drive, Suite 215 
Rancho Cucamonga, California 91730-3805 

Raymond E. Roberts 
Reg. No.: 38,597 
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Facsimile: (888) 847-2501 
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